November 9, 2010
IETF 79, Beijing, China
Synergy of the SCAP Program and IETF Activities BOF
Chairs: Kent Landfield <kent_landfield@mcafee.com>, Steve Hanna <shanna@juniper.com>
List: scap_interest@ietf.org
Note Well
Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made within the context of an IETF activity is considered an "IETF Contribution". Such statements include oral statements in IETF sessions, as well as written and electronic communications made at any time or place, which are addressed to:
– The IETF plenary session
– The IESG, or any member thereof on behalf of the IESG
– Any IETF mailing list, including the IETF list itself, any working group or design team list, or any other list functioning under IETF auspices
– Any IETF working group or portion thereof
– The IAB or any member thereof on behalf of the IAB
– The RFC Editor or the Internet-Drafts function
All IETF Contributions are subject to the rules of RFC 5378 and RFC 3979 (updated by RFC 4879).
Statements made outside of an IETF session, mailing list or other function, that are clearly not intended to be input to an IETF activity, group or function, are not IETF Contributions in the context of this notice.
Please consult RFC 5378 and RFC 3979 for details.
A participant in any IETF activity is deemed to accept all IETF rules of process, as documented in Best Current Practices RFCs and IESG Statements.
A participant in any IETF activity acknowledges that written, audio and video records of meetings may be made and may be available to the public.
BOF Agenda
Welcome and Agenda Overview, Logistics
NIST and SCAP – Tim Grance (10 minutes)
SCAP Overview – David Waltermire and Kent Landfield (40 minutes)
Compare and Contrast MIBs and Yang Modules with SCAP capabilities – Juergen Schoenwaelder (20 minutes)
NEA/SCAP Integration – Steve Hanna (30 minutes)
CYBEX Usage of SCAP Specifications – Takeshi Takahashi (15 minutes)
Customer Perspective – Boeing – Stephen Whitlock (10 minutes)
Open Mic – 45 minutes
BOF Participation
Date: Tuesday, November 9, 2010
Time: 1520-1810
BOF info: http://trac.tools.ietf.org/bof/trac/wiki/WikiStart#Security
BOF email archive: http://www.ietf.org/mail-archive/web/scap_interest
Jabber discussion access: scap@jabber.ietf.org
Listen to audio at: http://videolab.uoregon.edu/events/ietf/ietf795.m3u
NIST AND SCAP
Tim Grance, US National Institute of Standards and Technology
NIST & Security Automation
Committed to supporting the role of open voluntary international industry consensus standards bodies
See this SCAP BOF exploration as an important step in that direction
Need to build consensus with the private and public sectors
Understand that change in specifications by the standards body, with wide stakeholder consultation, is necessary and appropriate
SCAP OVERVIEW
Kent Landfield, McAfee
David Waltermire, US National Institute of Standards and Technology
Why are we here?
Meet and greet between SCAP and the IETF
SCAP has achieved a great deal but is looking for the maturity of the IETF standardization process to take the next step forward
Trying to determine if it makes sense to move development of some SCAP specifications into the IETF
What is SCAP?
The Security Content Automation Protocol (SCAP) is a suite of selected open specifications that enumerate software flaws, security related configuration issues, and product names; measure systems to determine the presence of vulnerabilities; and provide mechanisms to rank (score) the results of these measurements in order to evaluate the impact of the discovered security issues. SCAP defines how these specifications are combined.
What is SCAP NOT!
Not a single protocol
Not serving a single use case
Does not exist only to support the US government
Not a compliance only set of standards
Not an English-only set of specifications and uses
SCAP Value

Feature: Standardizes how computers communicate vulnerability information – the specifications
Benefit: Enables interoperability for products and services of various manufacture

Feature: Standardizes what vulnerability information computers communicate – the content
Benefit: Enables repeatability across products and services of various manufacture; reduces content-based variance in operational decisions and actions

Feature: Based on open community developed specifications
Benefit: Harnesses the collective brain power of the masses for creation and evolution; adapts to a wide array of use cases

Feature: Applicable to many different Risk Management Frameworks – Assess, Monitor, Implement
Benefit: Reduces time, effort, and expense of risk and security management processes

Feature: Detailed traceability to multiple security mandates and guidelines
Benefit: Automates portions of compliance demonstration and reporting; reduces chance of misinterpretation between Inspector General/auditors and operations teams

Feature: Enables the assessment and reporting of security controls
Benefit: Automates compliance demonstration and reporting
Current SCAP Vendors
SCAP Community Information
Community References: http://measurablesecurity.mitre.org/index.html
SCAP Homepage: http://scap.nist.gov
SCAP Validated Tools: http://nvd.nist.gov/scapproducts.cfm
National Checklist Program: http://checklists.nist.gov
National Vulnerability Database: http://nvd.nist.gov
What are we trying to accomplish?
Provide a standardized means for developing security content
Provide standardized and actionable results
Provide a means for real interoperability between security products
Provide visibility into the security posture of an enterprise
Reduce the cost of managing networked environments
What is SCAP? (1 of 3)
The Security Content Automation Protocol
Created to bring together existing specifications and to provide a standardized approach to maintaining the security of enterprise systems
SCAP ...
– provides a means to identify, express and measure security data in standardized ways
– is a suite of individually maintained, open specifications
– defines how these specifications are used in concert
– includes standardized reference data (SCAP Content)
What is SCAP? (2 of 3)
Languages – means of providing instructions
• Community developed
• Machine readable XML
• Reporting
• Representing security checklists
• Detecting machine state
Enumerations – convention for identifying and naming
– Community developed
– Product names
– Vulnerabilities
– Configuration items
Metrics – risk scoring framework
– Community developed, transparent metrics
– Base, Temporal, Environmental
What is SCAP? (3 of 3)
Naming
– CVE, Common Vulnerabilities and Exposures: standard nomenclature and dictionary of security related software flaws
– CCE, Common Configuration Enumeration: standard nomenclature and dictionary of software misconfigurations
– CPE, Common Platform Enumeration: standard nomenclature and dictionary for product naming
Expressing
– XCCDF, Extensible Configuration Checklist Description Format: standard XML for specifying checklists and for reporting results of checklist evaluation
Assessing
– OVAL, Open Vulnerability and Assessment Language: standard XML for test procedures
– OCIL, Open Checklist Interactive Language: standard XML for human interaction
Scoring
– CVSS, Common Vulnerability Scoring System: standard for measuring the impact of vulnerabilities
What are SCAP's Use Cases? (1 of 2)
Configuration Management – determine whether system configuration settings comply with organizational policies
Vulnerability Management – detect and prioritize known vulnerabilities (software flaws) on a system
Patch Compliance – determine whether appropriate patches have been applied on a system
System Inventory – identify products installed on the system (e.g., hardware, operating system, and applications)
Malware Detection – detect presence of malware on a system, allowing zero day signature building for consumption by SCAP validated products
What are SCAP's Use Cases? (2 of 2)
[Diagram: the SCAP specifications (CVE, CVSS, CPE, CCE, OVAL, XCCDF) mapped onto the use cases Asset Management, Software Inventory, Vulnerability Management, Configuration Management, Compliance Management, Misconfiguration & Patch Compliance, and Malware Detection]
EXTENSIBLE CONFIGURATION CHECKLIST DESCRIPTION FORMAT (XCCDF)
Internet Draft: draft-waltermire-scap-xccdf-00
What is XCCDF?
The Extensible Configuration Checklist Description Format
IETF I-D: draft-waltermire-scap-xccdf-00
An XML-based specification
– Expresses security checklists supporting multiple use cases
– Expresses the results of an assessment
XCCDF Functional Use Cases
[Diagram: one XCCDF document consumed in several ways: rendered to HTML, exported as XML, fed to other tools, and fed to compliance tools]
XCCDF and Checking Engines
XCCDF does not specify platform-specific rule checking logic. The Rule/check element contains information for driving a platform-specific checking engine.
[Diagram: XCCDF Benchmark Evaluation Tool – an XCCDF Benchmark supplies tailoring values and the tests to perform to a platform-specific checking engine, which examines the target system and returns test results]
XCCDF and Check System Interaction
Guidance Structure and Customization (XCCDF):
– Collect, structure, and organize guidance
– Score and track general compliance
– Support guidance tailoring and customization
Check Engine Assessment (e.g., OVAL):
– Define tests to check compliance
– Define state evaluation logic
– Characterize state details
XCCDF Data Model
XCCDF defines the following key object types:
Benchmark – the complete document
Group – a set of related recommendations and values; can be nested
Rule – an individual recommendation
Value – a named parameter that Rules and their checks can reference
Profile – supports tailoring, guidance for multiple roles, and rule reuse
XCCDF Summary
Enables authoritative definition of security policy/guidance that can be shared across a community
Reduces interpretation errors caused by converting prose guidance into an automatable form
Enables interoperability between tools
– Standardized content
– Consistent result reporting
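The XCCDF mechanics described in the slides above (Benchmark/Group/Rule/Value/Profile, tailoring, hand-off to a checking engine, scoring) can be seen end to end in the following Python, which is an added example and not code from the slides, from draft-waltermire-scap-xccdf-00 or from any NIST or vendor tool. It parses a small benchmark constructed for this example, applies a Profile's select and refine-value tailoring, binds a Value into a check via check-export, dispatches the check to a stand-in checking engine, and scores the result with XCCDF's default weighted scoring model. The check system URN `urn:example:simple-check`, its one-line `<key> <op> <operand>` check syntax, and the `TARGET_STATE` dictionary are assumptions standing in for OVAL content and the state an OVAL engine would collect; the XCCDF 1.1 namespace is the real one.

```python
"""Minimal XCCDF 1.1 evaluator: Profile selection, Value tailoring,
check dispatch to a checking engine, and default-model scoring."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}

# Constructed benchmark (not a published checklist). The check system URN and
# the "<key> <op> <operand>" check-content are made-up stand-ins for OVAL.
BENCHMARK_XML = """<Benchmark xmlns="%s" id="example-benchmark">
  <Profile id="server">
    <select idref="rule-screensaver" selected="false"/>
    <refine-value idref="val-min-pw-len" selector="strict"/>
  </Profile>
  <Profile id="workstation">
    <select idref="rule-screensaver" selected="true"/>
  </Profile>
  <Value id="val-min-pw-len" type="number">
    <value>8</value>
    <value selector="strict">14</value>
  </Value>
  <Group id="grp-logging" weight="2.0">
    <Rule id="rule-guest-log" selected="true">
      <check system="urn:example:simple-check">
        <check-content>RestrictGuestAccess == 1</check-content>
      </check>
    </Rule>
  </Group>
  <Group id="grp-accounts">
    <Rule id="rule-pw-length" selected="true">
      <check system="urn:example:simple-check">
        <check-export value-id="val-min-pw-len" export-name="MinLen"/>
        <check-content>MinimumPasswordLength &gt;= $MinLen</check-content>
      </check>
    </Rule>
    <Rule id="rule-screensaver" selected="true">
      <check system="urn:example:simple-check">
        <check-content>ScreenSaverActive == 1</check-content>
      </check>
    </Rule>
  </Group>
</Benchmark>""" % XCCDF_NS

# Constructed target state: what a platform-specific engine would collect.
TARGET_STATE = {"RestrictGuestAccess": 1, "MinimumPasswordLength": 10, "ScreenSaverActive": 0}

OPS = {"==": lambda a, b: a == b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def simple_check_engine(content, exports, state):
    """Stand-in checking engine; returns an XCCDF rule result string."""
    key, op, operand = content.split()
    if operand.startswith("$"):                      # operand bound through check-export
        operand = exports[operand[1:]]
    if key not in state:
        return "unknown"                             # engine could not collect the item
    return "pass" if OPS[op](state[key], int(operand)) else "fail"

def effective_values(benchmark, profile):
    """Pick each Value's <value> by the Profile's refine-value selector, else the default."""
    selectors = {r.get("idref"): r.get("selector") for r in profile.findall("x:refine-value", NS)}
    out = {}
    for v in benchmark.findall("x:Value", NS):
        wanted, chosen = selectors.get(v.get("id")), None
        for c in v.findall("x:value", NS):
            if c.get("selector") == wanted or (chosen is None and c.get("selector") is None):
                chosen = c.text
        out[v.get("id")] = chosen
    return out

def evaluate(xml_text, profile_id, state, engines):
    """Return ({rule-id: result}, benchmark score) for one Profile."""
    benchmark = ET.fromstring(xml_text)
    profile = benchmark.find("x:Profile[@id='%s']" % profile_id, NS)
    values = effective_values(benchmark, profile)
    selected = {s.get("idref"): s.get("selected") == "true" for s in profile.findall("x:select", NS)}
    results = {}

    def run_rule(rule):
        if not selected.get(rule.get("id"), rule.get("selected", "true") == "true"):
            return "notselected"
        check = rule.find("x:check", NS)
        engine = engines.get(check.get("system"))
        if engine is None:
            return "notchecked"                      # no engine for this check system
        exports = {e.get("export-name"): values[e.get("value-id")]
                   for e in check.findall("x:check-export", NS)}
        return engine(check.find("x:check-content", NS).text.strip(), exports, state)

    def score(node):
        """Default scoring model: weighted mean of scored children; None if none scored."""
        total_w = total = 0.0
        for child in node:
            if child.tag == "{%s}Rule" % XCCDF_NS:
                r = results[child.get("id")] = run_rule(child)
                if r not in ("pass", "fail"):
                    continue                         # notselected/unknown rules are not scored
                s = 100.0 if r == "pass" else 0.0
            elif child.tag == "{%s}Group" % XCCDF_NS:
                s = score(child)
                if s is None:
                    continue
            else:
                continue                             # Profile, Value, metadata
            w = float(child.get("weight", "1.0"))
            total_w, total = total_w + w, total + w * s
        return None if total_w == 0 else total / total_w

    return results, score(benchmark)
```

Running `evaluate(BENCHMARK_XML, "server", TARGET_STATE, {"urn:example:simple-check": simple_check_engine})` gives the "server" profile a score of 66.7 because the stricter refined value (14) fails the password-length rule while the weight-2 logging group passes; the "workstation" profile keeps the default value of 8 and instead scores the screensaver rule it selects.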
NAMING CONVENTIONS FOR VULNERABILITIES AND CONFIGURATIONS
Internet Draft: draft-landfield-scap-naming-00
Common Vulnerabilities and Exposures (CVE)
Dictionary of standardized descriptions for vulnerabilities and exposures
– Over 40,000 entries
Publicly accessible for review or download from the Internet
Example entry:
ID: CVE-2007-1751
Description: Microsoft Internet Explorer 5.01, 6, and 7 allows remote attackers to execute arbitrary code by causing Internet Explorer to access an uninitialized or deleted object, related to prototype variables and table cells, aka "Uninitialized Memory Corruption Vulnerability."
Reference: BUGTRAQ: 20070612 ZDI-07-038 - Microsoft Internet Explorer - Prototype Dereference Code Execution Vulnerability
Reference: MS: MS07-033
Common Configuration Enumeration (CCE)
Assigns standardized identifiers to configuration issues/items, allowing comparability and correlation
– Over 10,000 entries
Example entry:
ID: CCE-3121-1
Description: The "restrict guest access to application log" policy should be set correctly.
Technical Mechanisms: (1) HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy
Parameter: enabled/disabled
Naming Convention Summary
When dealing with information from multiple sources, use of naming conventions can:
– improve data correlation
– enable interoperability
– foster automation
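The correlation benefit claimed in the summary above depends on every tool emitting identifiers in the agreed syntax, so the following Python, an added example rather than code from the slides or from draft-landfield-scap-naming-00, validates and normalizes the three SCAP names before merging findings on them. It checks the CVE-YYYY-NNNN form (accepting the four-or-more-digit sequence numbers that the CVE syntax has allowed since 2014), recomputes a CCE identifier's trailing Luhn check digit (which reproduces the final 1 of CCE-3121-1 shown above), parses a CPE 2.2 URI (`cpe:/part:vendor:product:version:update:edition:language`, with `h`, `o`, `a` as the part values), and then groups findings from several tools on the canonical identifier. The tool names and the findings list are constructed sample data; the CPE parser does not decode CPE 2.2 percent-escapes.

```python
"""Validate and normalize SCAP identifiers (CVE, CCE, CPE 2.2) and correlate
findings from several tools on the normalized identifier."""
import re

CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")      # 4+ digit sequence since the 2014 syntax change
CCE_RE = re.compile(r"^CCE-(\d{4,5})-(\d)$")        # last digit is a Luhn check digit
CPE22_RE = re.compile(r"^cpe:/([hoa])((?::[^:]*){0,6})$")
CPE_FIELDS = ("vendor", "product", "version", "update", "edition", "language")

def luhn_check_digit(digits):
    """Check digit that makes digits+check pass the Luhn mod-10 test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:               # double every second digit, starting next to the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10

def parse_cve(identifier):
    """'CVE-2007-1751' -> (2007, 1751); None if malformed."""
    m = CVE_RE.match(identifier)
    return (int(m.group(1)), int(m.group(2))) if m else None

def parse_cce(identifier):
    """'CCE-3121-1' -> 3121; None if malformed or the check digit is wrong."""
    m = CCE_RE.match(identifier)
    if not m or luhn_check_digit(m.group(1)) != int(m.group(2)):
        return None
    return int(m.group(1))

def parse_cpe22(uri):
    """'cpe:/o:microsoft:windows_xp:::pro' -> dict; empty components mean 'any' and become None."""
    m = CPE22_RE.match(uri)
    if not m:
        return None
    fields = m.group(2).split(":")[1:] if m.group(2) else []
    comp = {"part": m.group(1)}
    for i, name in enumerate(CPE_FIELDS):
        comp[name] = fields[i] if i < len(fields) and fields[i] else None
    return comp

def normalize(raw):
    """Canonical form of an identifier, or None if it is not a valid CVE, CCE or CPE 2.2 name."""
    ident = raw.strip()
    if parse_cve(ident.upper()) or parse_cce(ident.upper()):
        return ident.upper()
    if parse_cpe22(ident.lower()):
        return ident.lower()
    return None

def correlate(findings):
    """findings: iterable of (tool, raw_id) -> ({canonical_id: set(tools)}, [rejected (tool, raw_id)])."""
    merged, rejected = {}, []
    for tool, raw in findings:
        canon = normalize(raw)
        if canon is None:
            rejected.append((tool, raw))
        else:
            merged.setdefault(canon, set()).add(tool)
    return merged, rejected

# Constructed findings from three hypothetical tools; CCE-3121-2 is a typo caught by the check digit.
FINDINGS = [
    ("scanner-a", "CVE-2007-1751"),
    ("scanner-b", "cve-2007-1751"),
    ("config-tool", "CCE-3121-1"),
    ("config-tool", "CCE-3121-2"),
    ("inventory", "cpe:/o:microsoft:windows_xp:::pro"),
]

if __name__ == "__main__":
    print(correlate(FINDINGS))
```

Rejecting the mistyped CCE rather than silently creating a second, unmatched identifier is the point: a check digit turns a one-digit transcription error into a visible error instead of a correlation gap.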
COMPARE AND CONTRAST MIBS AND YANG MODULES WITH SCAP CAPABILITIES
Juergen Schoenwaelder
NEA AND SCAP INTEGRATION
Steve Hanna
NEA Reference Model (from RFC 5209)
[Diagram: on the NEA Client, Posture Collectors sit above the Posture Broker Client, which sits above the Posture Transport Client; on the NEA Server, Posture Validators sit above the Posture Broker Server, which sits above the Posture Transport Server. Collectors and Validators exchange the Posture Attribute (PA) protocol, the Brokers exchange the Posture Broker (PB) protocol, and the Transport components exchange the Posture Transport (PT) protocols.]
Nesting of NEA Messages
PT
  PB-TNC Header
    PB-TNC Message (Type=PB-Batch-Type, Batch-Type=CDATA)
    PB-TNC Message (Type=PB-PA, PA Vendor ID=0, PA Subtype=OS)
      PA-TNC Message
        PA-TNC Attribute (Type=Product Info, Product ID=Windows XP)
        PA-TNC Attribute (Type=Numeric Version, Major=5, Minor=3, ...)
SCAP Compliance Checks with NEA
[Diagram: the NEA reference model with an SCAP Posture Collector on the NEA Client and an SCAP Posture Validator on the NEA Server exchanging SCAP-related messages over the Posture Attribute (PA) protocol, carried by the Posture Broker (PB) protocol between the Posture Broker Client and Server and by the Posture Transport (PT) protocols between the Posture Transport Client and Server]
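The nesting drawn above is concrete enough to encode, so here is an added Python example (not code from the NEA working group, the slides, or any TNC implementation) that builds and parses a PB-TNC batch carrying one PB-PA message, which wraps a PA-TNC message with Product Information and Numeric Version attributes. Field layouts follow the published RFC 5793 (PB-TNC batch header, message header, PB-PA message) and RFC 5792 (PA-TNC message header, attribute header, attribute types 2 and 3); note that in RFC 5793 the batch type is a field of the batch header rather than a separate PB-Batch-Type message as the slide shows. The decoder applies the two checks a receiver must make: every length field stays inside the buffer, and an unknown message or attribute is skipped only when its NOSKIP flag is clear and is a fatal error otherwise. The Windows XP version numbers, product ID 1 and collector ID 7 are constructed sample values; 311 is Microsoft's IANA enterprise number.

```python
"""Encode and decode the PB-TNC / PB-PA / PA-TNC nesting (RFC 5793, RFC 5792)
with the bounds and NOSKIP checks a receiver has to apply."""
import struct

PB_VERSION, PA_VERSION = 2, 1
IETF_VENDOR_ID = 0
PB_BATCH_CDATA = 1            # batch type: posture data from the client
PB_MSG_PA = 1                 # PB-TNC message type PB-PA: carries one PA-TNC message
PA_SUBTYPE_OS = 1             # PA subtype "Operating System"
PA_ATTR_PRODUCT_INFO = 2
PA_ATTR_NUMERIC_VERSION = 3
NOSKIP = 0x80                 # bit 0 (MSB) of the Flags octet
HDR_LEN = 12                  # Flags(1) Vendor ID(3) Type(4) Length(4)

def tlv(flags, vendor_id, type_, value):
    """12-byte header shared by PB-TNC messages and PA-TNC attributes; Length covers the header."""
    return bytes([flags]) + vendor_id.to_bytes(3, "big") + struct.pack("!II", type_, HDR_LEN + len(value)) + value

def parse_tlvs(buf, known):
    """Walk a TLV sequence. Unknown types are skipped unless NOSKIP is set, which is a fatal error."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < HDR_LEN:
            raise ValueError("truncated TLV header at offset %d" % off)
        flags, vendor = buf[off], int.from_bytes(buf[off + 1:off + 4], "big")
        type_, length = struct.unpack("!II", buf[off + 4:off + 12])
        if length < HDR_LEN or off + length > len(buf):
            raise ValueError("bad TLV length %d at offset %d" % (length, off))
        if (vendor, type_) in known:
            out.append((vendor, type_, buf[off + HDR_LEN:off + length]))
        elif flags & NOSKIP:
            raise ValueError("unsupported mandatory TLV vendor=%d type=%d" % (vendor, type_))
        off += length
    return out

# PA-TNC (RFC 5792): message header plus attribute TLVs
def product_info(product_vendor_id, product_id, name):
    """Product Vendor ID(3) Product ID(2) Product Name(UTF-8, variable)."""
    return product_vendor_id.to_bytes(3, "big") + struct.pack("!H", product_id) + name.encode("utf-8")

def numeric_version(major, minor, build, sp_major, sp_minor):
    """Major(4) Minor(4) Build(4) Service Pack Major(2) Service Pack Minor(2)."""
    return struct.pack("!IIIHH", major, minor, build, sp_major, sp_minor)

def pa_tnc_message(message_id, attributes):
    """Version(1) Reserved(3) Message Identifier(4), then the attribute TLVs."""
    return struct.pack("!B3xI", PA_VERSION, message_id) + b"".join(attributes)

def decode_pa_tnc(buf):
    if len(buf) < 8:
        raise ValueError("truncated PA-TNC header")
    version, message_id = struct.unpack("!B3xI", buf[:8])
    if version != PA_VERSION:
        raise ValueError("unsupported PA-TNC version %d" % version)
    attrs = {}
    for _v, type_, value in parse_tlvs(buf[8:], {(0, PA_ATTR_PRODUCT_INFO), (0, PA_ATTR_NUMERIC_VERSION)}):
        if type_ == PA_ATTR_PRODUCT_INFO:
            attrs["product"] = (int.from_bytes(value[:3], "big"), struct.unpack("!H", value[3:5])[0],
                                value[5:].decode("utf-8"))
        else:
            attrs["version"] = struct.unpack("!IIIHH", value[:16])
    return message_id, attrs

# PB-TNC (RFC 5793): batch header and the PB-PA message that wraps a PA-TNC message
def pb_pa_message(pa_vendor_id, pa_subtype, collector_id, validator_id, pa_body, exclusive=False):
    """Flags(1, EXCL) PA Vendor ID(3) PA Subtype(4) Collector ID(2) Validator ID(2) PA message body."""
    value = (bytes([0x80 if exclusive else 0]) + pa_vendor_id.to_bytes(3, "big")
             + struct.pack("!IHH", pa_subtype, collector_id, validator_id) + pa_body)
    return tlv(NOSKIP, IETF_VENDOR_ID, PB_MSG_PA, value)

def pb_batch(batch_type, messages, to_server=True):
    """Version(1) D(1 bit) Reserved(27 bits) B-Type(4 bits) Batch Length(4); length covers the header."""
    body = b"".join(messages)
    d_and_type = ((0 if to_server else 1) << 23) | (batch_type & 0xF)
    return bytes([PB_VERSION]) + d_and_type.to_bytes(3, "big") + struct.pack("!I", 8 + len(body)) + body

def decode_pb_batch(buf):
    if len(buf) < 8 or buf[0] != PB_VERSION or struct.unpack("!I", buf[4:8])[0] != len(buf):
        raise ValueError("bad PB-TNC batch header")
    d_and_type = int.from_bytes(buf[1:4], "big")
    batch = {"from_server": bool(d_and_type >> 23), "batch_type": d_and_type & 0xF, "pa": []}
    for _v, _t, value in parse_tlvs(buf[8:], {(IETF_VENDOR_ID, PB_MSG_PA)}):
        if len(value) < 12:
            raise ValueError("truncated PB-PA message")
        pa_vendor = int.from_bytes(value[1:4], "big")
        subtype, collector, validator = struct.unpack("!IHH", value[4:12])
        batch["pa"].append((pa_vendor, subtype, collector, validator, decode_pa_tnc(value[12:])))
    return batch

# Constructed sample: an OS posture collector (collector ID 7, made up) reporting
# Windows XP 5.1 build 2600 SP3. Product ID 1 is made up; 311 is Microsoft's IANA PEN.
SAMPLE_BATCH = pb_batch(PB_BATCH_CDATA, [pb_pa_message(
    IETF_VENDOR_ID, PA_SUBTYPE_OS, 7, 0,
    pa_tnc_message(0x1234, [
        tlv(NOSKIP, IETF_VENDOR_ID, PA_ATTR_PRODUCT_INFO, product_info(311, 1, "Windows XP")),
        tlv(NOSKIP, IETF_VENDOR_ID, PA_ATTR_NUMERIC_VERSION, numeric_version(5, 1, 2600, 3, 0)),
    ]))])

if __name__ == "__main__":
    print(decode_pb_batch(SAMPLE_BATCH))
```

An SCAP Posture Collector as in the slide above would put its SCAP-related payload in further PA-TNC attributes (under its own vendor ID or a future IETF-assigned type) inside the same PA-TNC message, and the validator's parser would treat them exactly as `parse_tlvs` does here: known types are consumed, unknown optional ones skipped, unknown mandatory ones rejected with an error rather than guessed at.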
CYBEX USAGE OF SCAP SPECIFICATIONS
Takeshi Takahashi
CUSTOMER PERSPECTIVE
Stephen Whitlock, Boeing
OPEN MIC DISCUSSION
Juergen's Questions
What is the focus of SCAP?
– A single device or a collection of devices or the network?
What can the IETF learn from previous related efforts?
– What has been successful and why?
– What failed and why?
To what extent is SCAP different from just more configuration and reporting?
Does SCAP integrate into the idea of network-wide configuration?
Questions for Discussion
Interest in community to move forward?
– Who here would like to work on the topic?
– Who would be interested in editing drafts / reviewing them?
– Who thinks IETF should have a working group in this area?
Industry demand for security automation
Feasible approach?
Side effects / overlaps?
Commitment potential?